Conditional Access App Control - Microsoft Defender For Cloud Apps Microsoft Learn

This document discusses how Microsoft Defender for Cloud Apps integrates with identity providers to deliver real-time protection for cloud apps using access and session policies. It allows blocking access or controlling sessions based on various conditions like user, app, and location. The protection does not require installing anything on devices and uses heuristics to balance security and usability.
Conditional access app control - Microsoft Defender for Cloud Apps | https://learn.microsoft.com/en-us/defender-cloud-apps/proxy-intro-aad

Microsoft Defender for Cloud Apps

Conditional access app control
Article • 03/04/2024

In today's workplace, it's not enough to know what's happened in your cloud
environment after the fact. You also need to stop breaches and leaks in real-time, and
prevent employees from intentionally or accidentally putting your data and organization
at risk.

You want to support users in your organization while they use the best cloud apps
available and bring their own devices to work. However, you also need tools to protect
your organization from data leaks and theft in real time. Microsoft Defender for Cloud
Apps integrates with any identity provider (IdP) to deliver this protection with access
and session policies.

For example:

• Use access policies to:
  ◦ Block access to Salesforce for users coming from unmanaged devices.
  ◦ Block access to Dropbox for native clients.

• Use session policies to:
  ◦ Block downloads of sensitive files from OneDrive to unmanaged devices.
  ◦ Block uploads of malware files to SharePoint Online.

Microsoft Edge users benefit from direct, in-browser protection, indicated by the lock
icon shown in the browser's address bar.

Users of other browsers are redirected via a reverse proxy to Defender for Cloud Apps,
and display an *.mcas.ms suffix in the link's URL. For example, if the app URL is
myapp.com, the app URL is updated to myapp.com.mcas.ms.

This article describes conditional access app control in Defender for Cloud Apps when used with
Microsoft Entra Conditional Access policies.

Usability


Conditional access app control doesn't require you to install anything on the device,
making it ideal when monitoring or controlling sessions from unmanaged devices or
partner users.

Defender for Cloud Apps uses best-in-class, patented heuristics to identify and control
activities performed by the user in the target app. Our heuristics are designed to
optimize and balance security with usability.

In some rare scenarios, when blocking activities on the server-side renders the app
unusable, we secure these activities only on the client-side, which makes them
potentially susceptible to exploitation by malicious insiders.

System performance and data storage
Defender for Cloud Apps uses Azure Data Centers around the world to provide
optimized performance through geolocation. This means that a user's session may be
hosted outside of a particular region, depending on traffic patterns and their location.
However, to protect your privacy, no session data is stored in these data centers.

Defender for Cloud Apps proxy servers do not store data at rest. When caching content,
we follow the requirements laid out in RFC 7234 (HTTP caching) and only cache public
content.

Reference of supported activities
Conditional access app control uses access policies and session policies to monitor and
control user app access and sessions in real time, across your organization.

Each policy has conditions to define who (which user or group of users), what (which
cloud apps), and where (which locations and networks) the policy is applied to. After
determining the conditions, route your users first to Defender for Cloud Apps, where
you can apply the access and session controls to protect your data.

Access and session policies include the following types of activities:

• Prevent data exfiltration: Block the download, cut, copy, and print of sensitive documents on, for
  example, unmanaged devices.

• Require authentication context: Reevaluate Microsoft Entra Conditional Access policies when a
  sensitive action occurs in the session, such as requiring multifactor authentication.

• Protect on download: Instead of blocking the download of sensitive documents, require documents
  to be labeled and encrypted when you integrate with Microsoft Purview Information Protection.
  This action ensures the document is protected and user access is restricted in a potentially
  risky session.

• Prevent upload of unlabeled files: Ensure that unlabeled files with sensitive content are blocked
  from being uploaded until the user classifies the content. Before a sensitive file is uploaded,
  distributed, and used by others, it's important to make sure that the sensitive file has the
  label defined by your organization's policy.

• Block potential malware: Protect your environment from malware by blocking the upload of
  potentially malicious files. Any file that is uploaded or downloaded can be scanned against
  Microsoft threat intelligence and blocked instantaneously.

• Monitor user sessions for compliance: Investigate and analyze user behavior to understand where,
  and under what conditions, session policies should be applied in the future. Risky users are
  monitored when they sign into apps and their actions are logged from within the session.

• Block access: Granularly block access for specific apps and users depending on several risk
  factors. For example, you can block them if they're using client certificates as a form of
  device management.

• Block custom activities: Some apps have unique scenarios that carry risk, for example, sending
  messages with sensitive content in apps like Microsoft Teams or Slack. In these kinds of
  scenarios, scan messages for sensitive content and block them in real time.

For more information, see:

• Create Microsoft Defender for Cloud Apps access policies
• Create Microsoft Defender for Cloud Apps session policies
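As an added illustration (not code from the article or from Microsoft), the following Python models how the who/what/where conditions of an access or session policy are evaluated against a session, and how a non-Edge browser session is routed through the *.mcas.ms reverse proxy described above. The Session and Policy classes, the example hostnames and the "corp"/"external" network labels are constructed for this example; the three policies are the article's own examples rendered as objects.

```python
from dataclasses import dataclass, field

PROXY_SUFFIX = ".mcas.ms"  # suffix the article says non-Edge browsers see in the URL

@dataclass
class Session:
    user: str
    groups: set
    app: str             # app host, e.g. "salesforce.com" (constructed)
    browser: str         # "Edge", "Chrome", ... ("" for native clients)
    client: str          # "browser" or "native"
    managed_device: bool
    network: str         # "corp" or "external" (constructed location labels)

@dataclass
class Policy:
    name: str
    kind: str            # "access" (decides entry) or "session" (in-session control)
    action: str          # "block_access", "block_download", "monitor"
    apps: set                                             # what
    groups: set = field(default_factory=lambda: {"*"})    # who ("*" = everyone)
    networks: set = field(default_factory=lambda: {"*"})  # where ("*" = anywhere)
    unmanaged_only: bool = False                          # extra device condition
    native_only: bool = False                             # extra client condition

    def matches(self, s: Session) -> bool:
        who = "*" in self.groups or bool(self.groups & s.groups)
        what = s.app in self.apps
        where = "*" in self.networks or s.network in self.networks
        device = not self.unmanaged_only or not s.managed_device
        client = not self.native_only or s.client == "native"
        return who and what and where and device and client

def route(s: Session) -> str:
    """Edge keeps the original URL (in-browser protection); others are proxied."""
    return s.app if s.browser == "Edge" else s.app + PROXY_SUFFIX

def evaluate(policies, s: Session) -> dict:
    """Access policies are checked first; session controls apply only if allowed."""
    for p in policies:
        if p.kind == "access" and p.matches(s):
            return {"access": "blocked", "by": p.name}
    controls = [p.action for p in policies if p.kind == "session" and p.matches(s)]
    return {"access": "allowed", "url": route(s), "controls": controls}

# The article's three example policies, as constructed Policy objects.
EXAMPLE_POLICIES = [
    Policy("Salesforce unmanaged", "access", "block_access", {"salesforce.com"}, unmanaged_only=True),
    Policy("Dropbox native", "access", "block_access", {"dropbox.com"}, native_only=True),
    Policy("OneDrive downloads", "session", "block_download", {"onedrive.com"}, unmanaged_only=True),
]
```

A managed Edge session to OneDrive returns the unproxied URL with no controls, while the same app from an unmanaged Chrome session is allowed but proxied and carries the block_download control.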

Supported apps and clients
Apply session and access controls to any interactive single sign-on that uses the
SAML 2.0 authentication protocol. Access controls are also supported for built-in mobile
and desktop client apps.

Additionally, if you're using Microsoft Entra ID apps, apply session and access controls
to:

• Any interactive single sign-on that uses the Open ID Connect authentication
protocol.
• Apps hosted on-premises and configured with the Microsoft Entra application
proxy.

Defender for Cloud Apps identifies apps using data from the cloud app catalog. If
you've customized apps with plugins, any associated custom domains must be added to
the relevant app in the catalog. For more information, see Working with the risk score.

Note

Apps with non-interactive sign-in flows, such as the Authenticator app and other
built-in apps, cannot be used with access controls.

Pre-onboarded apps
Any web app configured using the previously mentioned authentication protocols can
be onboarded to work with access and session controls. In addition, the following apps
are already onboarded with both access and session controls for Microsoft Entra ID.

Note

You must route your desired applications to access and session controls and perform a
first sign-in before they are protected.

• AWS
• Box
• Concur
• CornerStone on Demand
• DocuSign
• Dropbox


• Egnyte
• GitHub
• Google Workspace
• HighQ
• JIRA/Confluence
• LinkedIn Learning
• Microsoft Azure DevOps (Visual Studio Team Services)
• Microsoft Azure portal
• Microsoft Dynamics 365 CRM
• Microsoft Exchange Online
• Microsoft OneDrive for Business
• Microsoft Power BI
• Microsoft SharePoint Online
• Microsoft Teams
• Microsoft Yammer
• Salesforce
• Slack
• Tableau
• Workday
• Workiva
• Workplace from Meta

If you're interested in a specific app being pre-onboarded, send us details about the
app. Be sure to send the use case you're interested in for onboarding it.

Supported browsers
While session controls are built to work with any browser on any major platform on any
operating system, we support the following browsers:

• Microsoft Edge (latest)
• Google Chrome (latest)
• Mozilla Firefox (latest)
• Apple Safari (latest)

Microsoft Edge users benefit from in-browser protection, without redirecting to a
reverse proxy. For more information, see In-browser protection with Microsoft Edge for
Business (Preview).

App support for TLS 1.2+
Defender for Cloud Apps uses Transport Layer Security (TLS) protocols 1.2+ to provide
best-in-class encryption, and built-in client apps and browsers that do not support TLS
1.2+ aren't accessible when configured with session control.

However, SaaS apps that use TLS 1.1 or lower will appear in the browser as using TLS
1.2+ when configured with Defender for Cloud Apps.

Related content
For more information, see:

• Conditional access app control known limitations
• Troubleshooting access and session controls
